Security Best Practices
When you create a new crypto wallet, you are provided with a series of words that grants you access to your wallet if you forget your original password. MetaMask provides a 12-word Secret Recovery Phrase when you first create a wallet. Make sure to store this in a secure place offline. Never share your Secret Recovery Phrase with anyone. If your Secret Recovery Phrase is stolen, the hacker can access all of the contents of your wallet, so make sure to properly secure your seed phrase.
Note that you cannot edit your Secret Recovery Phrase and the one first issued to you will always be linked to your wallet. If you lose your Secret Recovery Phrase, you will not be able to access your wallet and its contents will be unrecoverable. Foundation is not able to access your wallet in any way.
As Web3 adoption accelerates, ecosystems blossom, and more cryptoassets are exchanged, scams and hacks are growing in number accordingly. Whilst following the critical security rules for using MetaMask will keep your wallet safe, it is beneficial to understand the types of scams you may encounter. Knowing what to keep an eye out for will considerably improve your security on Web3.
To be clear, this article will focus on prevention rather than how to respond to being hacked or scammed. This is because the irreversibility of blockchain transactions means you will have almost zero chance of retrieving stolen funds. Instead, it is worthwhile to focus your efforts on building robust security habits and preventing the situation from arising in the first place.
To cut to the chase, here are the key takeaways, i.e. the crucial security implications of these scams:
- Never, ever share your secret recovery phrase.
- Remember that MetaMask will never contact you regarding customer support issues outside official channels.
- Consider getting a hardware wallet.
Spoofing involves hiding or disguising an identity to enable malicious activity: the malicious party imitates a trusted identity so that it appears believable and trustworthy.
Fraudsters often use this method in tandem with the closely related practice of phishing, through which they attempt to obtain personal information from you directly. Hand in hand, these two methods can easily deceive, and the sophistication of these hacks has grown in step with the popularity of crypto and digital assets, with ever more potential victims entering the Web3 space.
A spoofing hack will target your secret recovery phrase (also known as a seed phrase), as this can be used to restore your wallet and will provide a hacker with access to your private keys and the wallet's contents. MetaMask is a non-custodial wallet, meaning you are responsible for keeping your secret recovery phrase secure.
In practice, a classic spoofing attack on your MetaMask wallet could go something like this:
1. You post publicly (for example, a tweet) asking for help with a MetaMask support issue.
2. A malicious account (potentially a bot, or at least using a bot to scope you out) identifies you as a target due to your requirement for MetaMask support, and will reply to your tweet or send a DM. The account will be configured to resemble an official MetaMask support channel and could include our fox logo, a vaguely convincing Twitter handle, and content and replies which read professionally. Another approach could be for the attacker to pose as a MetaMask support engineer, even including a headshot and name.
3. Using their spoofed identity, the bad actor will rely on you believing that they are an official MetaMask support channel/engineer and talk you into handing over your secret recovery phrase/private key to resolve your problem. For example, if your issue was a slow or pending transaction, they may offer to look into the issue but request your secret recovery phrase to do so.
4. With their hands on your secret recovery phrase, the bad actor can access your private keys and drain your wallet of funds to their chosen address.
This scenario is just an example, and similar events could play out across any social media platform, messaging service, forum, or otherwise on which you share information publicly.
Whilst using MetaMask to engage with Web3 services such as DeFi can be rewarding and exciting, you need to maintain constant vigilance. Golden rules for preventing and identifying spoofing include:
- Remember MetaMask will never contact you outside of our support channels, accessed through our help center. Anyone asking you for contact information, your secret recovery phrase or details of your support issue outside of these channels is a potential scammer and should be ignored and/or reported.
- Be vigilant. If it looks like it might be a scam, it probably is. Always be observant and keep a lookout for suspicious, telltale signs. These could include:
  - Requests for personal information, including anything from your name, the value of your wallet's holdings, or even your private key, which you should never, ever give to anyone.
  - Requests to reach out for support, get in touch, or send a DM.
  - Unprofessional language.
Most importantly, KEEP YOUR SECRET RECOVERY PHRASE SECURE, and do not hand it out regardless of how convincing the person/entity may be.
Sweeping (also known as scavenging) involves malicious parties assigning a script to your wallet which monitors transactions broadcast to the network, as well as the mempool or txpool (transaction pool) where pending transactions are temporarily stored. Once these sweeper scripts identify an incoming or outgoing transaction from the targeted wallet, they intervene to sign a new transaction before the original is complete. The funds can then be intercepted and transferred instead to a wallet written into the script by its owner.
Your wallet can only be affected by a sweeper script if you share your secret recovery phrase with a bad actor.
They are particularly troublesome for two reasons:
- The code can react far quicker than a human ever can. Racing to move your funds through your wallet faster than the script will always result in you coming out second best.
- It is subtle. It is not immediately apparent to the user that they've been hacked, as the script works out of sight. If you perform a significant transaction and you or the recipient do not receive the funds, you may at first assume the transaction is stuck or pending, or that MetaMask has malfunctioned.
The first and crucial step for a scammer is to obtain your secret recovery phrase. To do so, they may deploy a phishing attack, which could use the spoofing method outlined above. They may pose as a friendly helpdesk engineer offering to help you resolve your issue or attempt to disguise themselves as an official MetaMask support account. Another potential avenue is to set up a seemingly trustworthy Dapp, or mimic an established one, and require the user to input their private key or secret recovery phrase to use it.
If they are successful, they will be able to access your wallet, obtain your private key, and write it into the sweeper script. Possession of your private key allows the script to sign transactions without your knowledge, allowing it total and unrestrained control over wallet activity. The script will then proceed to monitor transactions coming to and from your account and sweep out any tokens you transfer in before you could possibly react.
Sweeper scripts are a nuisance to dispose of once they have infiltrated your wallet, and require you to employ very complex methods or even recruit whitehat hackers. For example, there are highly specific approaches you can take if you are attempting to get NFTs out of a compromised wallet.
Keeping your secret recovery phrase secure is the best and most dependable way to avoid falling victim to sweeper scripts. Without it, malicious actors cannot access your private key and sign transactions that steal your funds.
Another option, the relevance of which scales with how much you value your crypto holdings, is to consider buying a hardware wallet. Popular options include Ledger and Trezor. Hardware wallets are termed "cold" wallets as they store your private keys completely offline, a considerable obstacle to hackers.
As with most things Web3, you should also stay sceptical. That is to say, whenever you interact with Dapps, do not assume they are reputable and trustworthy. Always do your research and make sure you are comfortable with the risks.
The good news is that clipboard hacking does not mean you now need to be suspicious of people bearing clipboards. The bad news is that it is a genuine and insidious method for stealing your crypto.
As they are hexadecimal (base 16) and many characters long, crypto wallet addresses do not lend themselves to being memorized or typed in manually the way you would type an email address or username.
Enter copy and paste, the unsung hero of crypto transactions. Many wallets and exchanges, including MetaMask, include built-in 'copy' or 'copy to clipboard' shortcuts that allow you to copy your wallet address with a single click. These features smooth the process of pasting into a third-party site to which you may be transferring tokens, for example.
Clipboard hacking exploits the copy and paste function to rob you. Rather than relying on users' inexperience or exploiting their trust, malicious actors will create and disseminate malware.
Once this malware has infected your computer, most likely hidden within a seemingly innocuous download, it will automatically intercept your clipboard, scan for crypto addresses, and, if it identifies one, replace it with their own. So by the time you hit paste, your address has been replaced, and you will be about to send your transaction to the hacker(s).
Naturally, as blockchain transactions are irreversible, there is no way to retrieve your funds once they are sent.
A logical first port of call is to ensure you have robust anti-malware software installed, and keep it updated. Your software should identify most potential clipboard hacking malware programs, notify you, and quarantine them before they can affect your crypto activity.
However, since there is a possibility that your anti-malware software may not detect the program, the only way to be safe is to double- and triple-check addresses before you confirm any transaction. Some hardware wallets may prompt you to do this anyway, but as transactions are irreversible, it is a worthwhile habit to adopt.
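The following is an added example, not MetaMask's code: a small clipboard-substitution guard that performs the check recommended above by remembering exactly what you copied and comparing it with the clipboard contents at paste time. `Clipboard` is a constructed in-memory stand-in for the OS clipboard, and the two addresses are made-up sample values, so the example runs offline.

```python
# Added example (not MetaMask's code): compare what was copied with what is
# about to be pasted, so a swapped address is caught before the transaction.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A hex EVM-style address: 0x followed by exactly 40 hex digits.
EVM_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


@dataclass
class Clipboard:
    """Constructed stand-in for the OS clipboard."""
    content: str = ""


class ClipboardGuard:
    """Remembers what the user copied and verifies it right before pasting."""

    def __init__(self, clipboard: Clipboard) -> None:
        self.clipboard = clipboard
        self._copied: Optional[str] = None

    def copy(self, text: str) -> None:
        # Every legitimate copy goes through the guard, so the guard knows
        # the exact text the user intended to paste.
        self.clipboard.content = text
        self._copied = text

    def check_before_paste(self) -> Dict[str, str]:
        """Report whether the clipboard still holds what the user copied.
        The whole string is compared, not just a few characters of it."""
        current = self.clipboard.content
        if self._copied is None:
            return {"status": "unknown", "detail": "no copy recorded by guard"}
        if current == self._copied:
            return {"status": "ok", "address": current}
        copied_addrs = EVM_ADDRESS.findall(self._copied)
        current_addrs = EVM_ADDRESS.findall(current)
        if copied_addrs and current_addrs and copied_addrs != current_addrs:
            return {"status": "address_replaced",
                    "expected": copied_addrs[0], "found": current_addrs[0]}
        return {"status": "changed", "detail": "clipboard modified since copy"}


def simulate_clipboard_hijack() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Walk through copy -> check (clean) -> silent swap -> check (caught)."""
    my_address = "0x" + "ab" * 20        # constructed, not a real wallet
    attacker_address = "0x" + "cd" * 20  # constructed, not a real wallet
    clip = Clipboard()
    guard = ClipboardGuard(clip)
    guard.copy(my_address)
    clean = guard.check_before_paste()
    # Clipboard malware rewrites the clipboard behind the user's back.
    clip.content = attacker_address
    caught = guard.check_before_paste()
    return clean, caught
```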
1. Never, ever give your secret recovery phrase to anyone. The secret recovery phrase is used to access your private key locally, meaning anyone who possesses it has full and unrestrained access to the contents of your wallet.
2. Remember that MetaMask will never reach out to you other than through our official support channels and will never ask for your secret recovery phrase, even in customer support interactions.
General Spam and Hacking Tips
- Never click on unfamiliar or unexpected links. If you leave Discord by clicking on a link that takes you elsewhere, it's possible that the external site can access your personal information. We recommend scanning any unfamiliar links through a site checker like Sucuri or VirusTotal before clicking on it. You may also consider running all shortened URLs through a URL expander to ensure you know exactly where you will be directed.
- Never download unfamiliar files from anyone you don't know or trust.
- Be careful about sharing personal information. Discord is a great way to meet new friends and join new communities, but as with any online interaction, protect yourself by only sharing personal information with people you know and trust.
- Discord will only make announcements through our official channels. We do not distribute information secondhand through users or chainmail messages.
Discord uses a proactive spam filter to protect the experience of our users and the health of the platform. Sending spam is against our Terms of Service. We might take action against any account, bot, or server initiating any of these or similar tactics. If you believe spam originated from Discord, email us immediately at [email protected]. If you’re getting unsolicited messages or friend requests, here’s how to change your Privacy Settings.
Here are some specific actions we might investigate and act on for the health of Discord users:
Direct Message (DM) spam
Receiving unsolicited messages or ads is a bad experience for users. These are some examples of DM spam for both users and bots:
- unsolicited messages and advertisements
- mass server invites
- multiple messages with the same content over a short period of time
Join 4 Join
Join 4 Join is the process of advertising for others to join your server with the promise to join their server in return. This might seem like a quick and fun way to introduce people to your server and to join new communities, but there’s a thin line between Join 4 Join and spam.
Even if these invitations are not unsolicited, they might be flagged by our spam filter. Sending a large number of messages in a short period of time creates a strain on our service. That may result in action being taken on your account.
Joining many servers, sending many friend requests
While we do want you to find new communities and friends on Discord, we will enforce rate limits against spammers who might take advantage of this through bulk joins or bulk requests. Joining a lot of servers simultaneously, or sending a large number of friend requests might be considered spam. In order to shut down spambots, we take action against accounts that join servers too frequently, or send out too many friend requests at one time. The majority of Discord users will never encounter our proactive spam filter, but if, for example, you send a friend request in just a few minutes to everyone you see in a thousand-person server, we may take action on your account.
Servers dedicated to spamming actions
Servers dedicated to mass copy-paste messaging, or encouraging DM advertising, are considered dedicated spam servers.
Many servers have popular bots which reward active messaging. We don’t consider these to be spambots, but sending spam messages to trigger these bot prompts is considered abuse of our API, and may result in our taking action on the server and/or the users who participate in mass messaging. Besides cheating those systems, sending a large number of messages in a short period of time harms the platform.
Invite rewards servers
Invite reward servers are servers that promise some form of perk, often financial, for inviting and getting other users to join said server. We strongly discourage this activity, as it often results in spamming users with unsolicited messages. If it leads to spam or another form of abuse, we may take action including removing the users and server.
Bots and Selfbots
We don’t create bots to offer you free products. This is a scam. If you receive a DM from a bot offering you something, or asking you to click on a link, report it.
We understand the allure of free stuff. But we’re sorry to say these bots are not real. Do not add them to your server in hopes of receiving something in return as they likely will compromise your server. If anything gets deleted, we have no way of restoring what was lost.
Using a user token in any application (known as a Selfbot), or any automation of your account, may result in account suspension or termination. Our automated system will flag bots it suspects are being used for spam or any other suspicious activity. The bot, as well as the bot owner’s account, may be disabled as a result of our investigation. If your bot’s code is publicly available, please remove your bot’s token from the text to prevent it from being compromised.
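As an added example (not Discord's code) of the last point above, a small pre-publish check that scans source text for bot-token-shaped strings and redacts them before the code is made public. The token shape it looks for (three dot-separated base64url segments, the first of which decodes to the bot's numeric user id) is a heuristic assumption made for this example, not an official specification, and the sample token and source are constructed.

```python
# Added example (not Discord's code): find and redact token-shaped strings
# before publishing bot source; the real token belongs in an environment
# variable, never in the file.
import base64
import re
from typing import List, Tuple

# Heuristic assumption: three dot-separated base64url segments.
TOKEN_SHAPE = re.compile(
    r"[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{6,7}\.[A-Za-z0-9_-]{25,}")


def _first_segment_is_user_id(token: str) -> bool:
    """Heuristic: the first segment should base64-decode to a decimal id."""
    head = token.split(".", 1)[0]
    padded = head + "=" * (-len(head) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.isdigit()


def find_token_leaks(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, token) for every token-shaped string found."""
    leaks = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in TOKEN_SHAPE.finditer(line):
            if _first_segment_is_user_id(match.group(0)):
                leaks.append((lineno, match.group(0)))
    return leaks


def redact_tokens(source: str) -> str:
    """Replace every leaked token with a placeholder so the file can ship."""
    for _, token in find_token_leaks(source):
        source = source.replace(token, "<BOT_TOKEN_REMOVED>")
    return source


# Constructed sample: a fake token built from a made-up bot id, next to the
# safe pattern (reading the token from the environment) which is not flagged.
FAKE_ID = base64.urlsafe_b64encode(b"123456789012345678").decode().rstrip("=")
FAKE_TOKEN = f"{FAKE_ID}.AbCdEf.{'x' * 27}"
SAMPLE_SOURCE = f"""import os
TOKEN = "{FAKE_TOKEN}"  # hard-coded token: this is the mistake
TOKEN = os.environ["DISCORD_BOT_TOKEN"]  # read it from the environment instead
client.run(TOKEN)
"""
```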
Hacking incidents, DDoS attacks
If you believe your account has been compromised through hacking, here are some steps you can take to regain access and protect yourself in the future.
1. Reset your password.
- Choose a long password with a mix of uppercase letters, lowercase letters, and special characters that is hard to guess and isn’t used for anything else. We recommend using a password manager which can make creating and storing secure passwords extremely easy.
- If your account’s token has been compromised, reset your password to generate a new token. You should never give your account password or token to anyone. Discord will never ask for this information.
2. Enable two-factor authentication (2FA).
Two-factor authentication (2FA) strengthens your account to protect against intruders by requiring you to provide a second form of confirmation that you are the rightful account owner. Here’s how to set up 2FA on your Discord account. If for some reason you’re having trouble logging in with 2FA, here’s our help article.
3. DDoS (Distributed Denial of Service) attacks
A distributed denial of service (DDoS) attack floods an IP address with useless requests, resulting in the attacked modem or router no longer being able to successfully connect to the internet. If you believe your IP address has been targeted in a DDoS attack, here are some steps you can take:
- Reset your router via its manufacturer instructions.
- Unplug your modem for 5-10 minutes and then plug it back in. This can cycle your IP address to a new one.
- Contact your internet service provider (ISP) for assistance. Your ISP might also be able to tell you where the attack came from. Please note that Discord does not have this information.
- Please note: Discord never shares your IP address with other users. Bad actors might send malicious links such as IP grabbers or other scams in an attempt to get your IP address. Never click on unfamiliar links and be wary about sharing your IP address with anyone.
Discord Nitro is a paid service for a better Discord experience with lots of extra benefits. Scammers contact you on Discord, claiming that they’ve got an extra Discord Nitro account and that you can claim it via an attached link.
In some cases, scammers will ask you to link your Steam account to claim the “free Nitro.” Again, you will end up losing your Steam account. Don’t fall for it!
How to protect yourself:
- Double-check the link/URL; the domain of legitimate Discord pages should end in discord.com
- NEVER click links or attachments from unknown sources.
How Do Bitcoin Giveaway Scams Work?
Scammers pretend to be from legitimate companies such as KFC, reaching out to users on Discord. They claim to be holding a giveaway campaign, trying to persuade you to click on a link to get Bitcoins as a reward. Scammers use different excuses, but the tactics of Discord cryptocurrency scams are similar. Be careful when they ask you to:
- Register on a scam website.
- Enter promo codes.
- Verify accounts.
- Withdraw awards.
Once you click on the phishing link they provide, you will be taken to a website and asked to enter personal information, such as passwords, credit card numbers, or bank account details. In worse situations, malware will start to download as soon as the link is clicked.
Here are some screenshots of Bitcoin giveaway scams:
How to Avoid Bitcoin Scams on Discord
- Random messages that you can claim rewards for free are a major red flag. Something is fishy if it appears to be too good to be true.
- Report the scam to Discord officials.